governance

  • SAP Audit Management Powered by HANA

    Transform audit. Move beyond Assurance.

    SAP Audit Management Scope

     Why SAP AM? The Big Picture.

    Streamline audits by leveraging technology to create, organise, and share working papers.

    Audit Management is an enterprise platform for internal audit management. It is an addition to the Governance, Risk, and Compliance (GRC) offering, dedicated to internal audit modules.

    SAP Audit Management Scope

    SAP Audit Management offers a value proposition based on streamlined audit planning and execution, together with integration with, and deeper contributions to, enterprise risk management and control and compliance management. SAP’s solution stands out by offering the SAP HANA in-memory database and integration with SAP Fraud Management, SAP GRC Process Control and SAP GRC Risk Management. The resulting solution focuses on audit process management with added support for rapid review and analysis of heterogeneous data sets. This combination of capabilities is a key differentiator for SAP in a solution landscape primarily focused on audit planning and execution.

    Positioning Audit Management

    SAP AM has been developed and positioned in line with the overall SAP product roadmap:

    Automate non-negotiable assurance activities:
    Streamline and unlock working papers, sharpen audit planning with risk based tools and increase productivity with mobile capabilities.
    Integrate and align for continuous assurance:
    Integrate Audit Management with SAP GRC solutions to focus on critical business risks, and with ERP systems to monitor controls and shift from periodic to continuous assurance.
    Shift internal audit from policeman to trusted advisor:
    Leverage SAP Analytics and SAP HANA to monitor enterprise level issues and uncover new business opportunities.

    SAP Audit Management Three Core Differentiating Features

    Audit Management.
    The foundation of the solution is a flexible project management and collaboration platform for internal audits.
    Visibility to Enterprise Risk Needs.
    SAP Audit Management integrates with SAP GRC Risk Management and SAP GRC Process Control to ensure that audits are aligned to top enterprise risks.
    HANA Foundation.
    SAP Audit Management is built on SAP’s HANA in-memory database. This enhances Audit Management’s search capabilities, helping users to locate information distributed across large and diverse sets of applications and documents in very little time.

    What this solution is specifically designed to accomplish:

    Elevate the impact of audit efforts by using technology to provide insight on key business risks.

    • Create a state-of-the-art UI to provide easy-to-use audit software;
    • Provide centralised audit data storage and a data model covering end-to-end audit processes with a risk-based approach;
    • Shift from a functional audit solution approach to collaborative software, increasing the effectiveness of audit experts and increasing stakeholder engagement;
    • Allow unstructured data search to release available information from audit work papers;
    • Streamline working paper management with drag and drop and offline capability;
    • Create a fully mobile enabled solution – audit with any device – anywhere;
    • Leverage automated deployment on the cloud with SAP HANA;
    • Integrate with SAP GRC solutions and big data capabilities to transform audit.

    SAP Audit Management – Capabilities Delivered

    Amplify the influence and value of internal audit by using next generation analytics to provide advice beyond the obvious.

    • Full coverage of audit process: Plan, Prepare, Perform, Communicate, Monitor;
    • Flexible Audit Universe provides a single source of all audit functionality and a global monitor of audit requests;
    • Powerful Working Paper Management – working papers created simply via drag and drop and accessed with a single click, enabling manager review;
    • Global monitoring of findings and follow-ups;
    • Mobile capability (voice, photo, video, document) to instantly capture audit evidence, enabling easy access to end-to-end process on multiple devices;
    • Search capability reaches all audit data via a simple search and one click;
    • Intuitive and user friendly interfaces;
    • General conformance to IIA Standards.

    Business Benefits

    Effectiveness of audit planning and prioritization
    • Maximise % of productive time per auditor
    • Increase in use of working papers and documentation for planning and reporting
    • Decrease in total staff time per audit

    Speed and frequency of audit completion
    • Reduction in audit cycle time (Initiate to report)
    • Rapid search
    • Review of large volumes of heterogeneous data

    Attention to deeper insights
    • Linkages between audit and risk management
    • Linkages between audit and fraud management
    • Linkages between audit and process control
  • SAP GRC Implementation

    Regulations such as the Sarbanes-Oxley Act require companies to document their business processes, identify risks and define controls to mitigate them, and regularly demonstrate the effectiveness of those controls.

    To comply with these regulations and to protect the integrity of business data, organizations need to go beyond static documentation of internal controls and actively ensure that those controls are effectively guarding against fraud and errors, while streamlining business processes to reduce costs and inefficiencies.

    Sarbanes–Oxley (SOX) 2002 Act History

    • Known as the “Public Company Accounting Reform and Investor Protection Act”.
    • Issued as a response to a number of major corporate and accounting scandals: Enron, Tyco International, WorldCom.
    • Since then, SOX-type laws have been enacted in Japan, Germany, France, Italy, Australia, Israel, India, South Africa, and Turkey.
    • Sections 3. Corporate Responsibility (accuracy and validity of FS) and 4. Enhanced Financial Disclosures (off balance sheet) are directly related to system functions.

    The most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt

    Signed into law with comments from the US president

    Compliance and SOX. What’s it all about?

    Expects

    • Greater scrutiny
    • Shareholder protection
    • Legal responsibility from the finance system (people, processes, and technology)

    Demands

    • Increased visibility and control
    • Decreased cycle times
    • Improved forecasting accuracy and timeliness

    Rewards

    • Reduced costs
    • Greater transparency
    • Increased accuracy

    Controls Already Delivered by SAP

    SAP GRC

    Inherent Controls

    • Integrated balanced posting
    • Real time online data and Document Principle
    • Monitor questionable postings for review and approval
    • System retained transaction, program change, and configuration history
    • Internal controls structure monitoring

    Configurable Controls

    • Edit checks and tolerances
    • Required and system populated fields
    • Defaulted and predefined master data
    • Reason codes
    • User defined error/warning messages
    • Automatic integrated posting following predefined posting keys
    • Workflow

    Reporting Controls

    • Timely closing process monitoring capabilities
    • Delivered standard reports contained in easily accessible report tree
    • Context sensitive help
    • XBRL reporting capability
    • System supplied auditing capabilities
      • Audit trails
      • Changed document log
      • Document flow

    Security Controls (via SAP GRC)

    • Flexible user access and permissions to programs, transactions, tables, and fields
    • Both coarse and fine-grain authorization management including segregation of duties via comprehensive authorization mechanism
    • Detection and prevention of unauthorized access
    • Includes a delivered toolkit to promote efficient, effective creation and maintenance of user profiles and assignments

    SAP Governance, Risk, and Compliance (GRC)

    SAP GRC helps organizations enhance their governance, risk and compliance (GRC) processes. The product suite contains a set of tools which allow risk and compliance teams to effectively, proactively, and pervasively manage risks and controls within a single platform.

    SAP GRC is an advanced set of technology solutions that enable you to turn your policies and procedures into automated processes, ensuring that policies do not simply exist on paper but are automatically implemented as part of your workflow.

    • Access Control (AC)
    • Process Control (PC)
    • Risk Management (RM)

    These three integrated modules allow pervasive risk management across business processes and user access activities by enhancing key automated monitoring and risk reporting capabilities.

    Vinci Solutions help organizations evaluate and implement GRC solutions.

    Understanding how the technology you have supports compliance will enable you to be proactive in dealing with regulatory issues.

    The implementation process includes:

    • Technical installation of the products;
    • Configuration and deployment of the complete GRC suite, including:
      • Analyze and Manage Access Risks,
      • Provision and Manage Users,
      • Design and Manage Roles, and
      • Centralized Emergency Access;
    • Workshops with key business process owners to adjust delivered Segregation of Duties (SoD) risk levels to reflect the company's unique requirements;
    • Adjustments of SAP transactions included in the different Segregation of Duties definitions;
    • Integration of custom SAP transactions into the company's SoD rule set;
    • Project management and coordination among executive management, IT, business teams, and auditors to obtain input on Segregation of Duties risk levels and the workflow approval process;
    • Training on SAP Governance, Risk and Compliance and Best Practices;
    • Access risk mitigation across multiple ERPs;
    • Performing Segregation of Duties simulations for role-level and user-level changes to determine the impact of removing sensitive or conflicting transactions.
  • SAP GRC Product Overview

    By utilizing the SAP GRC product range, organizations gain a clear understanding of the enterprise control matrix and the ability to identify critical control gaps, maximize opportunities to use automated process controls, consolidate to eliminate redundancies, and, ultimately, increase business predictability and shareholder value.

    SAP GRC Access Control

    SAP GRC Access Control provides central management of Segregation of Duties (SoD) and Firefighter ID access across multiple ERP systems.

    Access Risk Analysis
    • Simplifies remediation and mitigation processes;
    • Manages and assigns compensating controls.

    Access Request Management
    • Enables "Business Concept" within the role design and provisioning process;
    • Automates user provisioning and incorporates Access Risk Analysis into the process.

    Emergency Access Management
    • Streamlines temporary super-user access by adding workflow;
    • Addresses the issue of managing elevated levels of user access when dealing with an exceptional situation;
    • Enables audit log for actions taken by the user with elevated access.

    Business Role Management
    • Provides a streamlined and controlled process for the design, development and deployment of compliant roles;
    • Helps at an early stage to ensure that role configuration changes do not lead to access violations in the production system.

    SAP GRC Process Control

    SAP GRC Process Control enables automated monitoring of controls and workflow alerts.

    • Includes monitoring of transactional records and configuration;
    • Provides capabilities around content life-cycle management (CLM).

    SAP GRC Risk Management

    SAP GRC Risk Management brings risks and controls together, integrating Access Control and Process Control into a single platform from which a summarized view of business processes and their respective automated controls can be reported, evaluated and enhanced.

    • Transforms the Risk Management program into a routine of business activities, embedding risk management into the core business processes of strategic planning, execution, monitoring, and analysis.
    • Helps establish Risk Management as a management discipline, offering the methods and processes to identify, assess, measure, and monitor risks within the business.

    SAP Help Portal: http://help.sap.com/grc